Vital Windows 11 certificates are expiring: how to check if you’re affected
Microsoft has recently begun replacing expiring Secure Boot certificates on eligible Windows 11 systems running 24H2 and 25H2, according to a report by BleepingComputer.
Secure Boot is a UEFI firmware feature that prevents untrusted software from running during system startup. Before the firmware hands control to a boot loader, it checks the boot loader's digital signature against the certificates stored in the firmware's Secure Boot databases; anything not signed by a trusted certificate is refused.
Microsoft warned back in November that the Secure Boot certificates used by most Windows devices currently in use will begin to expire in June 2026. IT administrators in particular should therefore act soon to avoid problems on affected devices.
“Without updates, Windows devices with Secure Boot enabled run the risk of not receiving security updates or trusting new boot loaders, which compromises both maintainability and security,” explains Microsoft.
Who is affected?
According to Microsoft, devices manufactured before 2024 are particularly affected. Newer Windows PCs generally shipped with the current certificates already installed.
Furthermore, only devices that actually boot with Secure Boot enabled are affected; if Secure Boot is off, nothing changes for that device. To check, press Win + R, run "msinfo32", and look at the value of Secure Boot State. If it says On, Secure Boot is active.
What you can do
To check which certificates the firmware currently trusts, proceed as follows:
- Open Windows PowerShell with administrator rights.
- Enter the following command: [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes)
- This prints the raw contents of the db database as ASCII. In the best case, you should see the name of at least one current certificate from 2023 in the output, for example Windows UEFI CA 2023 or Microsoft UEFI CA 2023.
- Tip: appending -match 'Windows UEFI CA 2023' to the command filters directly for the certificate you are looking for and returns True or False instead of the full dump.
If, on the other hand, only older certificates are listed, problems are likely from June 2026 onward. You should therefore make sure the new certificates are installed before then.
If the PowerShell check is not possible, open the Windows Registry Editor and look under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing. The value WindowsUEFICA2023Capable should not be 0 there; 0 means the 2023 certificate is not yet available on the device.
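As an added example (not code from the article or from Microsoft), the following script performs the checks above in one go, but parses the db variable into its EFI_SIGNATURE_LIST structures instead of scanning an ASCII dump. That way it can show each trusted CA's actual expiry date, which is what matters in June 2026. It assumes an elevated PowerShell on a UEFI system; the GUID constant is the UEFI specification's EFI_CERT_X509_GUID, and the reading of the registry value (0 = 2023 CA not present) follows the article.

```powershell
# Added example, not from the article or from Microsoft. Run elevated on a UEFI system.
# Assumptions: EFI_CERT_X509_GUID is the standard UEFI spec value; the meaning of
# WindowsUEFICA2023Capable (0 = 2023 CA not present) follows the article's description.

$X509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID (UEFI spec)

function Get-SecureBootDbCertificates {
    param([byte[]]$Bytes = (Get-SecureBootUEFI -Name db).Bytes)

    # db is a sequence of EFI_SIGNATURE_LIST structures:
    #   SignatureType GUID(16) | SignatureListSize(4) | SignatureHeaderSize(4) | SignatureSize(4)
    #   | SignatureHeader[HeaderSize] | EFI_SIGNATURE_DATA[] (SignatureOwner GUID(16) + data)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $type       = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $Bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }
        $listEnd   = $offset + $listSize
        $sigOffset = $offset + 28 + $headerSize

        # Only X.509 lists carry certificates; other lists (e.g. SHA-256 hashes) are skipped.
        if ($type -eq $X509Guid) {
            while ($sigOffset + $sigSize -le $listEnd) {
                # Skip the 16-byte SignatureOwner GUID; the remainder is a DER certificate.
                $der  = [byte[]]$Bytes[($sigOffset + 16)..($sigOffset + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Expired    = ($cert.NotAfter -lt (Get-Date))
                    Thumbprint = $cert.Thumbprint
                }
                $sigOffset += $sigSize
            }
        }
        $offset = $listEnd
    }
}

# 1. Is Secure Boot actually enforced? Same answer as msinfo32's "Secure Boot State".
try   { $secureBootOn = Confirm-SecureBootUEFI }
catch { $secureBootOn = $false }   # the cmdlet throws on legacy BIOS / CSM systems

if (-not $secureBootOn) {
    Write-Host 'Secure Boot is off: the certificate expiry does not affect this device.'
    return
}

# 2. Which CAs does the firmware trust, and when do they expire?
$certs = Get-SecureBootDbCertificates
$certs | Sort-Object NotAfter | Format-Table Subject, NotAfter, Expired -AutoSize

$has2023  = [bool]($certs | Where-Object Subject -match 'Windows UEFI CA 2023')
$expiring = $certs | Where-Object { $_.NotAfter -lt (Get-Date).AddYears(1) }

# 3. The registry view of the same fact (the article's fallback check).
$servicing = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
$capable   = (Get-ItemProperty -Path $servicing -Name WindowsUEFICA2023Capable `
                -ErrorAction SilentlyContinue).WindowsUEFICA2023Capable

"Windows UEFI CA 2023 present in db : $has2023"
"WindowsUEFICA2023Capable (registry): $capable"
if (-not $has2023 -or $capable -eq 0) {
    Write-Warning 'The 2023 CA is not in db yet; install pending quality updates before June 2026.'
}
foreach ($c in $expiring) {
    Write-Warning "Expires within a year: $($c.Subject) (NotAfter $($c.NotAfter.ToShortDateString()))"
}
```

The structured parse is stricter than the -match one-liner: a string match only proves that the text "Windows UEFI CA 2023" occurs somewhere in the blob, whereas walking the signature lists tells you which entries are real X.509 certificates, whom they were issued to, and exactly when each one stops being valid. On a fleet, the per-certificate table is also what you would export to inventory which machines still trust only pre-2023 CAs.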
According to Microsoft, installing the regular Windows quality updates should be sufficient. Once a sufficient number of "successful update signals" have been received, Microsoft can "ensure secure and gradual deployment". Because that rollout is driven by those signals, you should also allow your PC to send diagnostic data to Microsoft.
Alternatively, companies can obtain the Secure Boot certificates using special registry keys or the Windows Configuration System (WinCS). For more information, please refer to Microsoft's official guide.